US10147092B2ActiveUtilityA1

System and method for signing and authenticating secure transactions through a communications network

Assignee: PALMA LIZANA MAURICIO EDUARDOPriority: Apr 3, 2012Filed: Apr 3, 2012Granted: Dec 4, 2018
Est. expiryApr 3, 2032(~5.7 yrs left)· nominal 20-yr term from priority
G06Q 20/401G06Q 20/3821H04L 9/3247G06Q 20/4012G06Q 20/3227H04L 9/3226H04L 9/0861G06Q 20/40975G06Q 20/3276G06Q 20/3823
59
PatentIndex Score
4
Cited by
2
References
5
Claims

Abstract

A system to sign and authenticate secure transactions with an institution through a communications network, comprising a terminal connected to a communications network; a remote server with a database that stores for each user the user data userID, a private password encrypted K′priv, userID, a first security password K′mac, userID to generate an authentication password Kmac, userID and an identifier of the mobile device, Id′cel,userID; a mobile communication device of a user comprising a security code pin; an application, a transport password Ktransporte; a public password encrypted K″pub, userID and a second security password K″mac, userID for generating said authentication password Kmac, userID; and a remote hardware security module. A method to sign and authenticate secure transactions with an institution through a communications network with said system.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method to sign and authenticate secure transactions with an institution through a communications network where a user and a mobile communication device of the user have previously been activated; WHEREIN the method comprises:
 a) entering by the user a user data UserID into a terminal located at a site of the institution, the terminal being connected to a communications network, 
 b) sending from the terminal through said communication network, the user data UserID, a request and a request for signing a petition to a remote server, where said remote server comprises: a database storing the user data userID, a private encrypted password K′ priv, userID , a first security password K′ mac, userID  for generating an authentication password K mac, userID  and an identifier of the mobile communication device Id′ cel, userID ; 
 c) checking in the database of the remote server that for the user data userID, said user is authorized; in case the user is not authorized, then the request is rejected; 
 d) if the user is authorized, sending, from the remote server, the private encrypted password K′ userID  and the first security password K′ mac, userID  of said user to a hardware security module to be decrypted; 
 e) returning from the hardware security module to the remote server a private password K priv, userID  and the authentication password K mac, userID  of said user; 
 f) generating in the remote server a set of signed data D s  using the private password K priv, userID , wherein said signed data D s  comprises at least the user data userID, the date and time of the request, a signature by the private password K priv, userID  and the data in the request; 
 g) generating in the remote server a confirmation code Cod userID, Ds  by a message authentication code and from the authentication password K mac, userID , the set of signed data D s , and the identifier of the mobile communication device Id′ cel, userID ; 
 h) sending the confirmation code Cod userID, Ds  from the remote server to the hardware security module; 
 i) encrypting said confirmation code Cod userID, Ds  by the hardware security module to generate a confirmation code encrypted Cod′ userID, Ds , sending the confirmation code encrypted Cod′ userID, Ds  to the remote server and storing the confirmation code encrypted Cod′ userID, Ds  in the database together with the date and time of creation, and setting a number of validation attempts to zero; 
 j) generating in the remote server a two-dimensional bar code QR from the signed data D s ; 
 k) sending to the terminal the two-dimensional bar code QR and displaying the two-dimensional bar code at the institution's site; 
 l) starting by said user an application in the mobile communication device, wherein said mobile communication device comprises said application, a security code, a transport password K transporte  for decoding activation information, a public password encrypted K″ pub, userID , and a second security password K″ mac, userID  to generate the authentication password K mac, userID ; 
 m) entering by the user the security code in the application of the mobile communication device; 
 n) deriving a temporary password K temp, pin  created on the basis of the security code entered by the user and according to a password derivation algorithm; 
 o) decrypting by the application of the mobile communication device, the public password encrypted K″ pub, userID  with the temporary password K temp, pin  and the second security password K″ mac, userID  to obtain a public password K pub, userID  and the authentication password K mac, userID ; 
 p) capturing and decoding the two-dimensional bar code QR using the application of the mobile communication device; 
 q) validating the private password K priv, userID  of the signed data D s  with the public password K pub, userID ; if validation is false, then the request is rejected; 
 r) if validation is true, generating, by the application of the mobile communication device, the identifier of the mobile communication device Id′ cel, userID  with at least a serial number of the mobile communication device and the authentication password K mac, userID  and the message authentication code; 
 s) generating the confirmation code Cod userID, Ds, Mobile  by said message authentication code and from the authentication password K mac, userID , the signed data D s , the identifier of the mobile communication device, Id′ cel, userID ; 
 t) displaying the confirmation code Cod userID, Ds, mobile  in the application of the mobile communication device along with data in the request; if the data of the request is incorrect, the user can cancel the operation; if the data is correct the method continues to the next step; 
 u) entering the confirmation code Cod userID, Ds, mobile  in the terminal; 
 v) sending from the terminal to the remote server said confirmation code Cod userID, Ds, Mobile ; 
 w) encrypting said confirmation code Cod userID, Ds, mobile  by the hardware security module as a confirmation code encrypted Cod′ userID, Ds, mobile ; 
 x) comparing said confirmation code encrypted Cod′ userID, Ds, mobile  with the confirmation code encrypted Cod′ userID, Ds  received in step i); if the two codes do not match, the request is rejected; 
 y) if the confirmation code encrypted Cod′ userID, Ds, mobile  and the confirmation code encrypted Cod′ userID, Ds  match and the number of validation attempts does not exceed a predefined maximum within a predefined period of time, sending a success code to the terminal to authorize the request. 
 
     
     
       2. A method according to  claim 1 , WHEREIN said two-dimensional bar code QR is a two dimensional code generated by one of a: Quick Response QR Code, PDF417, Data Matrix “Datamatrix”, “MaxiCode” and circular bar code “ShotCode”. 
     
     
       3. A method according to  claim 1 , WHEREIN steps d), e), f) and g) are performed in the hardware security module, and the hardware security module includes a processor and internal memory, where the private encrypted password K′ priv, userID  and the first security password K′ mac, userID  are stored in said hardware security module. 
     
     
       4. A method according to  claim 3 , WHEREIN step x) is also performed by the hardware security module, such that the comparison of said confirmation code encrypted Cod′ userID, Ds, mobile  with the confirmation code encrypted Cod′ userID, Ds  is performed by said hardware security module. 
     
     
       5. A method according to  claim 1 , WHEREIN prior to step a) the activation of the mobile communication device of the user is performed by the following steps:
 a) accessing the site of the institution through a terminal through a communications network and entering the user data UserID; 
 b) downloading from the remote server to the mobile communication device, the application and the transport password K transporte ; 
 c) sending from the terminal to the remote server the user data UserID and an activation request; 
 d) checking in the database of the remote server that for the user data UserID, said user is authorized; in case the user is not authorized, then the activation request is rejected; 
 e) if the user is authorized in d), generating on the remote server the public password K pub, userID , the private password K priv, userID  and the authentication password K mac, userID  that are exclusive for said user data UserID in a temporary memory of said remote server; 
 f) sending from the remote server, the private password K priv, userID  and the authentication password K mac, userID  of the user to the hardware security module and removing from the temporary memory of the remote server the private password K priv, userID ; 
 g) encrypting in the hardware security module, the private password K priv, userID  and the authentication password K mac, userID  as the private encrypted password K′ userID  and the first security password K′ mac, userID  of the user; 
 h) returning from the hardware security module to the remote server and storing in the database, the private encrypted password K′ priv, userID  and the first security password K′ mac, userID  of the user; 
 i) encrypting in the remote server the public password K pub, userID  and the authentication password K mac, userID  by the transport password K transporte  and from them generating a two-dimensional bar code activation; 
 j) capturing and decoding the two-dimensional bar code activation at the site of the institution using the application of the mobile communication device; 
 k) entering the security code by the user in the application of the mobile communication device; 
 l) decrypting the information of the two-dimensional bar code activation by the transport password K transporte  and the application of the mobile communication device to obtain the public password K pub, userID  and the authentication password K mac, userID ; 
 m) deriving with the application of the mobile communication device the temporary password K temp, pin , created on the basis of the security code entered by the user and according to a password derivation algorithm; 
 n) encrypting the public password K pub, userID  and the authentication password K mac, userID  by the application of the mobile communication device using the temporary password K temp, pin  to generate and store in memory of the mobile communication device the public password encrypted K″ pub, userID  and the second security password K″ mac, userID ; 
 o) generating the mobile device identifier, Id′ cel, userID  by the application of the mobile communication device with at least the serial number of the mobile communication device and the authentication password K mac, userID  and a message authentication code; 
 p) generating an activation code concatenating a portion of the public password K pub, userID  and the identifier of the mobile device Id′ cel, userID ; and displaying the activation code on the mobile communication device; 
 q) entering in the terminal the activation code by the user; 
 r) sending the activation code from the terminal to the remote server, identifying the portion of the public password K pub, userID  of said activation code and extracting and storing in the database the identifier of the mobile device Id′ cel, userID ; and 
 s) removing temporary information related to the temporary password K temp, pin  and the security code from the temporary memory of the remote server and removing from the temporary memory of the remote server the public password K pub, userID  and the authentication password K mac, userID  and setting the user as authorized and enabled for user data in the database of the remote server.

Join the waitlist — get patent alerts

Track US10147092B2 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.